Hacker News new | ask | show | jobs
by electic 4212 days ago
Telegram bashing aside, this is very wrong. It is always better to have the source code to inspect the entire package. Without the source code, there is no way to fully verify the security of a solution. For Telegram and WhatsApp, the clients and server code should be released if you want to make sure.
2 comments
smtddr 4212 days ago
No, you're wrong.

People can give you whatever source code they want. That doesn't meant it's the same as what's running in production. While this is tin-foil-hat paranoia, when it comes to encryption software in this post-snowden world it is definitely more reliable to reverse-engineer the binary & network traffic than to just believe the provided source-code to encryption in a popular social app. Or compile the app from source that has been verified by trusted people. Definitely not believing that a binary blob running on your hardware is the same as the provided source.

That said, it's also good to ask for source code so later on when reverse-engineering shows something different you've now caught the offending party in a lie; which is something good to have on record to refer to later on.

link
electic 4212 days ago
> Without the source code, there is no way to fully verify the security of a solution.

So you are telling me if you had the source code you would not be able to verify the code and also use the code to fully verify the expected behavior of the binary?

link
tptacek 4211 days ago
It is not as easy to verify source code as it sounds.
link
electic 4211 days ago
and it is not easy to do black box testing either.
link
wglb 4212 days ago
this is very wrong: No, it is quite correct. It is slightly more convenient to have the source code, But then again, it can be misleading, as you don't know if that source code is actually corresponding to the binary that is actually executing.
link
thanksgiving 4212 days ago
Open sourcing/Making available for inspection the source code of an application is not enough if the herd just uses the pre built binaries instead of compiling it themselves. Perhaps we can someday have free and open source software with reproducible builds[0]?

[0] https://wiki.debian.org/ReproducibleBuilds

link